Making the Use of Access Cards less sucky

IMPACT: Non-privileged primitive users can cause the total destruction of your entire invasion fleet and gain unauthorized access to files.
CERT Advisory CA-96.13

Some organizations use access cards to determine which employees can access which building and room(s). After these kinds of access cards were introduced at the university I am working, it was interesting to see how people deal with using these cards.

The cards used are the university employee identification cards, which we are supposed to carry with us anyway. But you usually only need those cards if you drive onto the campus, or, more frequently, to get cheaper prices in the cafeteria. But now you had to access the cards in a different setting — in the department itself — and much more frequently, any time you want to open a door to some rooms (currently only meeting room, labs, the room with the copier and mail, etc.).

To have the card available, some employees started to use plastic card holders clipped to their belts/trouser pockets, others kept it in their wallets, others simply in their jacket pockets.

Frankly, I’m not a fan of these cards, especially in creative environments (see posting here). But besides the attempts to surveil and control every aspect of the employees time at work, wearing them visible on the body increases the felt surveillance … and they have the aesthetic appeal of a name tag.

It might be one thing at a conference, where these name tags actually make sense (they are not only for people working in retail). But in a good organization with people working together (and not only next to each other), people should know each other. Yeah, academia is always temporary (unless you’ve got tenure), but it shouldn’t require the use name tags.

Personally, I would much prefer physical keys. You can wear them easily on a keychain, secured with a small metal chain to the belt. Easily accessible as the very small pockets inside the larger pockets of my trousers are perfect for carrying a keychain (if secured with the chain; plus: leaves no digital traces). Next up would be a transponder — with the size of a medium sized coin it still fits on the keyring and is at least as quickly accessible (minus: leaves digital traces). But the cards — they are large, inconvenient to carry in pockets (with enough movement, the plastic can cut open the pockets), and they leave digital traces. But … I have to carry it. Meh.

So, so far, I’ve found three possible ways to make the use of these cards less sucky:

Wear it on the wrist, inside a sweatband.

The “I don’t care what it looks like, I care what it can do” solution. There are sweatbands available that allow you to carry cards comfortably. The pocket has to be alongside your wrist (and not in a 90° angle to it — unless you have very, very thick wrists).

This is my currently preferred solution (as it’s the only legal one), although I am likely going to sew my own sweatbands, using lighter materials that look better in an office. Not being that concerned with physical appearance does have its advantages, although you pay heavily for it in other areas.

But the card is read through the fabric, allowing me to simply put my wrist on the reader to open the doors. Looks worse than a physical key or transponder on a keyring, but actually much quicker and easier to use than the keyring. Only disadvantage beside the looks: It makes the card easily accessible for hackers if they want to copy the card. You are essentially wearing your key on your wrist. But then, if someone wants to copy it, hey, they can even do it though your trousers pocket.

Clone the chip onto a small transponder to wear it on the keychain.

The “now we’ve crossed into the illegal and likely fire-able territory” solution. Depends largely on how secure the card really is. Unless the company who produced them uses specialized hardware that is not available elsewhere, it should be possible to clone the card. And depending on the hardware, also to clone it onto a transponder. That would allow me to continue to use my university identification card and access rooms easily via the transponder. Downsides: Illegal (I doubt the university would agree to a “security test”) and highly visible. People would see me open doors with another object but the card, which would raise questions, and those likely have … negative consequences.

Find out the size of the chip inside the card, and if small enough, cut the card to a more comfortable size

The “I’m not clever enough to clone the card but still want the chip in a more convenient size” solution. Currently unavailable, as the access card doubles as university identification card. Would be at least damage to property, given that I don’t actually own the card. But if the actual chip is small enough it would allow me to carry it as a transponder-like object on my keyring, or attach it to the wristband of my wristwatch. That would be much more comfortable than using the thin yet large card.

 

So, for the moment, the sweatband has it. Next up I’ll take up a bit of sewing to create a more fitting form for the office. Something that can be worn comfortably and even stylish’ly beneath a shirt (even a long-sleeved one). Strange that this apparently isn’t available yet, given how many people have to carry these cards.

Might be a market niche.